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To  ensure  confidentiality  with  respect  to  medical  records  and  health  care 
related  information,  and  for  other  purposes. 


IN  THE  HOUSE  OF  REPRESENTATIVES 

July  12,  1999 

Mr.  Greenwood  (for  himself,  Mr.  Shays,  Mr.  Norwood,  Mr.  LaTourette, 
Mr.  Burr  of  North  Carolina,  and  Mr.  Upton)  introduced  the  following 
bill;  which  was  referred  to  the  Committee  on  Commerce,  and  in  addition 
to  the  Committee  on  the  Judiciary,  for  a  period  to  be  subsequently  deter- 
mined by  the  Speaker,  in  each  case  for  consideration  of  such  provisions 
as  fall  within  the  jurisdiction  of  the  committee  concerned 


A  BILL 

To  ensure  confidentiality  with  respect  to  medical  records 
and  health  care-related  information,  and  for  other  purposes. 

1  Be  it  enacted  by  the  Senate  and  House  of  Representa- 

2  tives  of  the  United  States  of  America  in  Congress  assembled, 

3  SECTION  1.  SHORT  TITLE;  TABLE  OF  CONTENTS. 

4  (a)  Short  Title. — This  Act  may  be  cited  as  the 

5  "Medical  Information  Protection  and  Research  Enhance- 

6  ment  Act  of  1999". 

7  (b)  Table  of  Contents. — The  table  of  contents  for 

8  this  Act  is  as  follows: 
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Sec.  1.  Short  title;  table  of  contents. 
Sec  2.  Definitions. 

TITLE  I— INDIVIDUAL'S  RIGHTS 

Subtitle  A — Re\iew  of  Protected  Health  Information  by  Subjects  of  the 

Information 

Sec.  101.  Inspection  and  copying-  of  protected  health  information. 
Sec.  102.  Amendment  of  protected  health  information. 
Sec.  103.  Notice  of  confidentiality  practices. 

Subtitle  B — Establishment  of  Safeguards 

Sec.  111.  Establishment  of  safeguards. 
Sec.  112.  Accounting  for  disclosures. 

TITLE  II— RESTRICTIONS  ON  USE  AND  DISCLOSURE 
Sec.  201.  General  niles  regarding  use  and  disclosure. 

Sec.  202.  General  rules  regarding  use  and  disclosure  of  health  care  information. 
Sec.  203.  Authorizations  for  use  or  disclosure  of  protected  health  information 

other  than  for  treatment,  payment,  health  care  operations,  or 

health  research. 
Sec.  204.  Next  of  kin  and  directory  information. 
Sec.  205.  Emergency  circumstances. 
Sec.  206.  Oversight. 
Sec.  207.  Public  health. 
Sec.  208.  Health  research. 

Sec.  209.  Disclosure  in  civil,  judicial,  and  administrative  procedures. 

Sec.  210.  Disclosure  for  law  enforcement  purposes. 

Sec.  211.  Payment  card  and  electronic  payment  transaction. 

Sec.  212.  Individual  representatives. 

Sec.  213.  No  liability  for  permissible  disclosures. 

Sec.  214.  Sale  of  business,  mergers,  etc. 

TITLE  III— SANCTIONS 

Subtitle  A — Criminal  Provisions 

Sec.  301.  Wrongful  disclosure  of  protected  health  information. 

Subtitle  B — Civil  Sanctions 

Sec.  311.  Civil  penalty  violation. 

Sec.  312.  Procedures  for  imposition  of  penalties. 

Sec.  313.  Enforcement  by  State  insurance  commissioners. 

TITLE  rV— MISCELLANEOUS 

Sec.  401.  Relationship  to  other  laws. 

Sec.  402.  Conforming  amendment. 

Sec.  403.  Study  by  Institute  of  Medicine. 

Sec.  404.  Effective  date. 

1  SEC.  2.  DEFINITIONS. 

2  As  used  in  this  Act: 
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1  (1)  Accrediting  body. — The  term  "accred- 

2  iting  body"  means  a  national  body,  committee,  orga- 

3  nization,  or  institution  (such  as  the  Joint  Commis- 

4  sion  on  Accreditation  of  Health  Care  Organizations 

5  or  the  National  Committee  for  Quality  Assurance) 

6  that  has  been  authorized  by  law  or  is  recognized  by 

7  a  health  care  regulating  authority  as  an  accrediting 

8  entity  or  any  other  entity  that  has  been  similarly  au- 

9  thorized  or  recognized  by  law  to  perform  specific  ac- 

10  creditation,  licensing  or  credentialing  activities. 

11  (2)  Agent. — The  term  "agent"  means  a  per- 

12  son,  including  a  contractor,  who  represents  and  acts 

13  for  another  under  the  contract  or  relation  of  agency, 

14  or  whose  function  is  to  bring  about,  modify,  effect, 

15  accept  performance  of,  or  terminate  contractual  obli- 

16  gations  between  the  principal  and  a  third  person. 

17  (3)  Common  rule. — The  term  "common  rule" 

18  means  the  Federal  policy  for  protection  of  human 

19  subjects  from  research  risks  originally  published  as 

20  56  Federal  Register  28.025  (1991)  as  adopted  and 

21  implemented  by  a  Federal  department  or  agency. 

22  (4)  Disclose/disclosure. — The  term  "dis- 

23  close"  means  to  release,  transfer,  provide  access  to, 

24  or  otherwise  divulge  protected  health  information  to 

25  any  person  other  than  the  individual  who  is  the  sub- 
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1  ject  of  such  information.  The  term  "disclosure"  re- 

2  fers  to  such  a  release,  transfer,  provisions  for  access 

3  to,  or  communication  of  such  information.  The  use 

4  of  protected  health  information  by  an  authorized 

5  person  and  its  agents  shall  not  be  considered  a  dis- 

6  closure  for  purposes  of  this  Act,  provided  that  the 

7  use  is  consistent  with  the  purposes  for  which  the  in- 

8  formation  was  lawfully  obtained.  Using  or  providing 

9  access  to  health  information  in  the  form  of  non- 
10  identifiable  health  information  shall  not  be  construed 

11  as  a  disclosure  of  protected  health  information. 

12  (5)  Employer. — The  term  "employer"  has  the 

13  meaning  given  such  term  under  section  3(5)  of  the 

14  Employee  Retirement  Income  Security  Act  of  1974 

15  (29  U.S.C.  1002(5)),  except  that  such  term  shaU  in- 

16  elude  only  employers  of  two  or  more  employees. 

17  (6)  Health  care. — The  term  "health  care" 

1 8  means — 

19  (A)  preventive,  diagnostic,  therapeutic,  re- 

20  habilitative,  maintenance,  or  palliative  care,  in- 

21  eluding  appropriate  assistance  with  disease  or 

22  symptom  management  and  maintenance,  coun- 

23  seling,  service,  or  procedure — 

24  (i)  with  respect  to  the  physical  or 

25  mental  condition  of  an  individual;  or 
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1  (ii)  affecting  the  structure  or  function 

2  of  the  human  body  or  any  part  of  the 

3  human  body,   including  the  banking  of 

4  blood,  sperm,  organs,  or  any  other  tissue; 

5  or 

6  (B)  pursuant  to  a  prescription  or  medical 

7  order  any  sale  or  dispensing  of  a  drug,  device, 

8  equipment,  or  other  health  care  related  item  to 

9  an  individual,  or  for  the  use  of  an  individual. 

10  (7)  Health  care  operations. — The  term 

11  "health  care  operations"  means  services  provided  by 

12  or  on  behalf  of  a  health  plan  or  health  care  provider 

13  for  the  purpose  of  carrying  out  the  management 

14  functions  of  a  health  care  provider  or  health  plan,  or 

15  implementing  the  terms  of  a  contract  for  health  plan 

16  benefits,  including — 

17  (A)   coordinating  health   care,  including 

18  health   care   management   of  the  individual 

19  through  risk  assessment  and  case  management; 

20  (B)  conducting  quality  assessment  and  im- 

21  provement  activities,  including  outcomes  evalua- 

22  tion,  clinical  guideline  development,  and  im- 

23  provement; 

24  (C)  reviewing  the  competence  or  qualifica- 

25  tions  of  health  care  professionals,  evaluating 
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1  provider  performance,  and  conducting  health 

2  care  education,  accreditation,  certification,  li- 

3  censing,  or  credentialing  activities; 

4  (D)  carrying  out  utilization  review  activi- 

5  ties,  including        precertification  and 

6  preauthorization  of  services,  and  health  plan 
rating  and  insurance  activities,  including  under- 
writing, experience  rating  and  reinsurance;  and 

9  (E)  conducting  or  arranging  for  auditing 

10  services,  including  fraud  detection  and  compli- 

i  1  ance  programs. 

12  (8)    Health    care    provider, — The  term 

13  1  'health  care  provider"  means  a  person,  who  with  re- 
4  spect  to  a  specific  item  of  protected  health  informa- 

15  tion,  receives,  creates,  uses,  maintains,  or  discloses 

16  the  information  while  acting  in  whole  or  in  part  in 

17  the  capacity  of — 

18  (A)  a  person  who  is  licensed,  certified,  reg- 

19  istered,  or  otherwise  authorized  by  Federal  or 

20  State  law  to  provide  an  item  or  service  that 

21  constitutes  health  care  in  the  ordinary  course  of 

22  business,  or  practice  of  a  profession; 

23  (B)  a  Federal,  State,  employer  sponsored 

24  or  other  privately  sponsored  program  that  di- 
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1  rectly  provides  items  or  services  that  constitute 

2  health  care  to  beneficiaries;  or 

3  (C)  an  officer  or  employee  of  a  person  de- 

4  scribed  in  subparagraph  (A)  or  (B). 

5  Such  term  does  not  include  a  person  that  provides 

6  no  health  care  and  that  provides  only  a  religious 

7  method  for  healing. 

8  (9)  Health  oversight  agency. — The  term 

9  "health  oversight  agency"  means  a  person  who,  with 

10  respect  to  a  specific  item  of  protected  health  infor- 

11  mation,  receives,  creates,  uses,  maintains,  or  dis- 

12  closes  the  information  while  acting  in  whole  or  in 

13  part  in  the  capacity  of — 

14  (A)  a  person  who  performs  or  oversees  the 

15  performance  of  an  assessment,  evaluation,  de- 

16  termination,  or  investigation,  relating  to  the  li- 

17  censing,      accreditation,      certification,  or 

1 8  credentialing  of  health  care  providers;  or 

19  (B)  a  person  who — 

20  (i)  performs  or  oversees  the  perform- 

21  ance  of  an  audit,  assessment,  evaluation, 

22  determination,  or  investigation  relating  to 

23  the  effectiveness  of,  compliance  with,  or 

24  applicability  of,  legal,  fiscal,  medical,  or 

25  scientific  standards  or  aspects  of  perform- 
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1 

ance  related  to  the  delivery  of  health  care; 

2 

and 

3 

(ii)  is  a  public  agency,  acting  on  be- 

4 

half  of  a  public  agency,  acting  pursuant  to 

5 

a  requirement  of  a  public  agency,  or  car- 

6 

rying  out  activities  under  a  Federal  or 

7 

State  law  governing  the  assessment,  eval- 

8 

uation,    determination,    investigation,  or 

9 

prosecution  described  in  subparagraph  (A). 

10 

(10)  Health  plan. — The  term  "health 

11 

plan"  has  the  meaning  given  such  term  in  sec- 

12 

tion  1171(5)  of  the  Social  Security  Act  (42 

13 

U.S.C.  1320d(5))  and  includes  any  health  in- 

14 

surance  issuer,  health  insurance  plan  (including 

15 

any  hospital  or  medical  service  plan,  dental  or 

16 

other  health  service  plan,  or  health  maintenance 

17 

organization  plan),  provider  sponsored  organi- 

18 

zation,  or  other  program  providing  or  arranging 

19 

for  the  provision  of  health  benefits.  Such  term 

20 

does  not  include  any  policy,  plan,  or  program  to 

21 

the  extent  that  it  provides,  arranges,  supports, 

22 

or  administers  any  excepted  benefits  (as  defined 

23 

in  section  2791(c)(1)  of  the  Public  Health  Serv- 

24 

ice  Act  (42  U.S.C.  300gg-91(c)(l))). 

•HR  2470  IH 


9 

1  (11)     Health     reseakch/health  re- 

2  SEARCHER. — The  term  "health  research"  means  a 

3  systematic  investigation  of  health  (including  but  not 

4  limited  to  basic  biological  processes  and  structures), 

5  health  care,  or  its  delivery  and  financing,  including 

6  research  development,  testing  and  evaluation,  de- 

7  signed  to  develop  or  contribute  to  generalizable 

8  knowledge  concerning  human  health,  health  care,  or 

9  health  care  delivery.  The  term  "health  researcher" 

10  means  a  person  involved  in  health  research,  or  an  of- 

1 1  ficer,  employee,  or  agent  of  such  person. 

12  (12)  Key. — The  term  "key"  means  a  method 

13  or   procedure   used   to   transform  nonidentifiable 

14  health  information  that  is  in  a  coded  or  encrypted 

15  form  into  protected  health  information. 

16  (13)  Law  enforcement  inquiry. — The  term 

17  "law  enforcement  inquiry"  means  a  lawful  investiga- 

18  tion  or  official  proceeding  inquiring  into  a  violation 

19  of,  or  failure  to  comply  with,  any  criminal  or  civil 

20  statute  or  any  regulation,  rule,  or  order  issued  pur- 

21  suant  to  such  a  statute. 

22  (14)  Life  insurer. — The  term  "life  insurer" 

23  means  life  insurance  company  as  defined  in  section 

24  816  of  the  Internal  Revenue  Code  of  1986. 
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1  (15)     NONIDENTIFIABLE     HEALTH  INFORMA- 

2  TION. — The  term  "nonidentifiable  health  informa- 

3  tion"   means   protected   health   information  from 

4  which  personal  identifiers,  that  directly  reveal  the 

5  identity  of  the  individual  who  is  the  subject  of  such 

6  information  or  provide  a  direct  means  of  identifying 

7  the  individual  (such  as  name,  address,  and  social  se- 

8  curity  number),  have  been  removed,  encrypted,  or 

9  replaced  with  a  code,  such  that  the  identity  of  the 

10  individual  is  not  evident  without  (in  the  case  of 

1 1  encrypted  or  coded  information)  use  of  key. 

12  (16)  Originating  provider. — The  term  "orig- 

13  inating  provider"  means  a  health  care  provider  who 

14  initiates  a  treatment  episode,  such  as  prescribing  a 

15  drug,  ordering  a  diagnostic  test,  or  admitting  an  in- 

16  dividual  to  a  health  care  facility.  A  hospital  or  nurs- 

1 7  ing  facility  is  the  originating  provider  with  respect  to 

18  protected  health  information  created  or  received  as 

19  part  of  inpatient  or  outpatient  treatment  provided  in 

20  such  settings. 

21  (17)     Payment. — The     term  "payment" 

22  means — 

23  (A)  the  activities  undertaken  by — 
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1  (i)  or  on  behalf  of  a  health  plan  to  de- 

2  termine    its    responsibility    for  coverage 

3  under  the  plan;  or 

4  (ii)  a  health  care  provider  to  obtain 

5  payment  for  items  or  services  provided  to 

6  an  individual,  provided  under  a  health 

7  plan,  or  provided  based  on  a  determination 

8  by  the  health  plan  of  responsibility  for  cov- 

9  erage  under  the  plan;  and 

10  (B)  activities  undertaken  as  described  in 

11  subparagraph  (A)  including — 

12  (i)  billing,  claims  management,  med- 

13  ical  data  processing,  other  administrative 

14  services,  and  actual  payment; 

15  (ii)  determinations  of  coverage  or  ad- 

16  judication  of  health  benefit  or  subrogation 

17  claims;  and 

18  (iii)  review  of  health  care  services  with 

19  respect  to  coverage  under  a  health  plan  or 

20  justification  of  charges. 

21  (18)  PERSON. — The  term  "person"  means  a 

22  government,  governmental  subdivision,  agency  or  au- 

23  thority;   corporation;   company;    association;  firm; 

24  partnership;  society;  estate;  trust;  joint  venture;  indi- 
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1  vidual;  individual  representative;  tribal  government; 

2  and  any  other  legal  entity. 

3  (19)  Protected  health  information. — The 

4  term  "protected  health  information"  with  respect  to 

5  the  individual  who  is  the  subject  of  such  information 

6  means  any  information  which  identifies  such  indi- 

7  vidual,  whether  oral  or  recorded  in  any  form  or  me- 

8  dium,  that — 

9  (A)  is  created  or  received  by  a  health  care 

10  provider,  health  plan,  health  oversight  agency, 

11  public  health  authority,  employer,  life  insurer, 

12  school  or  university; 

13  (B)  relates  to  the  past,  present,  or  future 

14  physical  or  mental  health  or  condition  of  an  in- 

15  dividual  (including  individual  cells  and  their 

16  components); 

17  (C)  is  derived  from — 

18  (i)  the  provision  of  health  care  to  the 

19  individual;  or 

20  (ii)   payment   for   the   provision  of 

21  health  care  to  the  individual;  and 

22  (D)  is  not  nonidentifiable  health  informa- 

23  tion. 

24  (20)  Public  health  authority. — The  term 

25  "public  health  authority"  means  an  authority  or  in- 
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1  strumentality  of  the  United  States,  a  tribal  govern- 

2  ment,  a  State,  or  a  political  subdivision  of  a  State 

3  that  is — 

4  (A)  primarily  responsible  for  health  and/or 

5  welfare  matters;  and 

6  (B)  primarily  engaged  in  activities  such  as 

7  incidence  reporting,  public  health  surveillance, 

8  and  investigation  or  intervention. 

9  (21)    School   or   university. — The  term 

10  "  school  or  university"  means  an  institution  or  place 

11  accredited  or  licensed  for  purposes  of  providing  for 

12  instruction  or  education,  including  an  elementary 

13  school,  secondary  school,  or  institution  of  higher 

14  learning,  a  college,  or  an  assemblage  of  colleges 

15  united  under  one  corporate  organization  or  govern- 

1 6  ment. 

17  (22)     Secretary.— The    term  "Secretary" 

18  means  the  Secretary  of  Health  and  Human  Sendees. 

19  (23)  Signed. — The  term  "signed"  refers  to 

20  documentation  of  assent  in  any  medium,  whether 

21  ink,  digital  or  biometric  signatures,  or  recorded  oral 

22  authorizations. 

23  (24)  State.— The  term  "State"  includes  the 

24  District  of  Columbia,  Puerto  Rico,  the  Virgin  Is- 
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1  lands,  Guam,  American  Samoa,  and  the  Northern 

2  Mariana  Islands. 

3  (25)    Treatment. — The    term  "treatment" 

4  means  the  provision  of  health  care  by  a  health  care 

5  provider. 

6  (26)  Writing/written. — The  term  "writing" 
means  any  form  of  documentation,  whether  paper, 
electronic,  digital,  biometric  or  tape  recorded.  The 
term  "written"  includes  paper,  electronic,  digital,  bi- 

10  ometric  and  tape-recorded  formats. 

11  TITLE  I— INDIVIDUAL'S  RIGHTS 

12  Subtitle  A — Review   of  Protected 

13  Health  Information  by  Subjects 

14  of  the  Information 

15  SEC.    101.   INSPECTION   AND   COPYING   OF  PROTECTED 

16  HEALTH  INFORMATION. 

17  (a)  General  Rules. — 

18  (1)  Compliance  with  section. — At  the  re- 

19  quest  of  an  individual  who  is  the  subject  of  protected 

20  health  information  and  except  as  provided  in  sub- 

21  section  (c),  a  health  care  provider,  a  health  plan, 

22  employer,  life  insurer,  school,  or  university  shall  ar- 

23  range  for  inspection  or  copying  of  protected  health 

24  information   concerning   the   individual,  including 
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1  records  created  under  section  102,  as  provided  for  in 

2  this  section. 

3  (2)  Availability  of  information  through 

4  originating  provider. — Protected  health  informa- 

5  tion  that  is  created  or  received  by  a  health  plan  or 

6  health  care  provider  as  part  of  treatment  or  pay- 

7  ment  shall  be  made  available  for  inspection  or  copy- 

8  ing  as  provided  for  in  this  title  through  the  origi- 

9  nating  provider. 

10  (3)  Other  entities. — An  employer,  life  hi- 
ll surer,  school,  or  university  that  creates  or  receives 

12  protected  health  information  in  performing  any  func- 

13  tion  other  than  providing  treatment,  payment,  or 

14  health  care  operations  with  respect  to  the  individual 

15  who  is  the  subject  of  such  information,  shall  make 

16  such  information  available  for  inspection  or  copying 

17  as  provided  for  in  this  title,  or  through  any  provider 

18  designated  by  the  individual. 

19  (4)  Procedures. — The  person  providing  ac- 

20  cess  to  information  under  this  title  may  set  forth  ap- 

21  propriate  procedures  to  be  followed  for  such  inspec- 

22  tion  or  copying  and  may  require  an  individual  to  pay 

23  reasonable  costs  associated  with  such  inspection  or 

24  copying. 
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1  (b)  Special  Circumstances. — If  an  originating 

2  provider,  its  agent,  or  contractor  no  longer  maintains  the 

3  protected  health  information  sought  by  an  individual  pur- 

4  suant  to  subsection  (a),  a  health  plan  or  another  health 

5  care  provider  that  maintains  such  information  shall  ar- 

6  range  for  inspection  or  copying. 

7  (c)  Exceptions. — Unless  ordered  by  a  court  of  com- 

8  petent  jurisdiction,  a  person  acting  pursuant  to  subsection 

9  (a)  or  (b)  is  not  required  to  permit  the  inspection  or  copy- 

10  ing  of  protected  health  information  if  any  of  the  following 

1 1  conditions  are  met: 


12  (1)    ENDANGERMENT   TO   LIFE   OR   SAFETY. — 

13  The  person  determines  that  the  disclosure  of  the  in- 
I  4  formation  could  reasonably  be  expected  to  endanger 

1 5  the  life  or  physical  safety  of  any  individual. 

16  (2)  Confidential  source. — The  information 

17  identifies,  or  could  reasonably  lead  to  the  identifica- 

18  tion  of,  a  person  who  provided  information  under  a 

19  promise  of  confidentiality  to  a  health  care  provider 

20  concerning  the  individual  who  is  the  subject  of  the 

21  information. 

22  (3)  Information  compiled  in  anticipation 

23  of  or  in  connection  with  a  fraud  ixvestiga- 

24  TION  OR  litigation. — The  information  is  compiled 

25  principally — 
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1  (A)  in  anticipation  of  or  in  connection  with 

2  a  fraud  investigation,  an  investigation  of  mate- 

3  rial  misrepresentation  in  connection  with  an  in- 

4  surance  policy,  a  civil,  criminal,  or  administra- 

5  tive  action  or  proceeding;  or 

6  (B)  for  use  in  such  action  or  proceeding. 

7  (4)  Investigational  information. — The  pro- 

8  tected  health  information  was  created,  received  or 

9  maintained  by  a  health  researcher  as  provided  in 

10  section  208. 

11  (d)  Denial  of  a  Request  for  Inspection  or 


12  Copying. — If  a  person  described  in  subsection  (a)  or  (b) 

1 3  denies  a  request  for  inspection  or  copying  pursuant  to  sub- 

14  section  (c),  the  person  shall  inform  the  individual  in  writ- 

15  ing  of — 


16  (1)  the  reasons  for  the  denial  of  the  request  for 

17  inspection  or  copying; 

18  (2)  the  availability  of  procedures  for  further  re- 

19  view  of  the  denial;  and 

20  (3)  the  individual's  right  to  file  with  the  person 

21  a  concise  statement  setting  forth  the  request  for  in- 

22  spection  or  copying. 

23  (e)  Statement  Regarding  Request. — If  an  indi- 


24  vidual  has  filed  a  statement  under  subsection  (d)(3),  the 
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1  person  in  any  subsequent  disclosure  of  the  portion  of  the 

2  information  requested  under  subsection  (a)  or  (b) — 


3  (1)  shall  include  a  notation  concerning  the  indi- 

4  vidual's  statement;  and 

5  (2)  may  include  a  concise  statement  of  the  rea- 

6  sons  for  denying  the  request  for  inspection  or  copy- 

7  ing. 

8  (f)  Inspection  and  Copying  of  Segregable  Por- 


9  TION. — A  person  described  in  subsection  (a)  or  (b)  shall 

10  permit  the  inspection  and  copying  of  any  reasonably  seg- 

11  regable  portion  of  a  record  after  deletion  of  any  portion 

12  that  is  exempt  under  subsection  (c). 

13  (g)  Deadline. — A  person  described  in  subsection  (a) 

14  or  (b)  shall  comply  with  or  deny,  in  accordance  with  sub- 

15  section  (d),  a  request  for  inspection  or  copying  of  pro- 

16  tected  health  information  under  this  section  not  later  than 

17  60  days  after  the  date  on  which  the  person  receives  the 

18  request. 


19  (h)  Rules  of  Construction. — 

20  (1)  Agents. — An  agent  of  a  person  described 

21  in  subsection  (a)  or  (b)  shall  not  be  required  to  pro- 

22  vide  for  the  inspection  and  copying  of  protected 

23  health  information,  except  where — 

24  (A)  the  protected  health  information  is  re- 

25  tained  by  the  agent;  and 
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1  (B)  the  agent  has  been  asked  in  writing  by 

2  the  person  involved  to  fulfill  the  requirements  of 

3  this  section. 

4  (2)    NO    REQUIREMENT    FOR    HEARING. — This 

5  section  shall  not  be  construed  to  require  a  person 

6  described  in  subsection  (a)  or  (b)  to  conduct  a  for- 

7  mal,  informal,  or  other  hearing  or  proceeding  con- 

8  cerning  a  request  for  inspection  or  copying  of  pro- 

9  tected  health  information. 

10  SEC.  102.  AMENDMENT  OF  PROTECTED  HEALTH  INFORMA- 

1 1  TION. 

12  (a)  In  General. — Protected  health  information  shall 


13  be  subject  to  amendment  as  provided  for  in  this  section. 

14  Protected  health  information  that  is  created  or  received 

15  by  a  health  plan  or  health  care  provider  as  part  of  treat- 

16  ment  or  payment  shall  be  subject  to  amendment  as  pro- 

17  vided  in  this  section  upon  request  to  the  originating  pro- 

18  vider.  Except  as  provided  in  subsection  (b),  not  later  than 

19  45  days  after  the  date  on  which  an  originating  provider, 

20  employer,  life  insurer,  school,  or  university  receives  from 

21  an  individual  a  request  in  writing  to  amend  protected 

22  health  information,  such  person  shall— 

23  (1)  make  the  amendment  requested; 

24  (2)  inform  the  individual  of  the  amendment 

25  that  has  been  made;  and 
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1  (3)  inform  any  person  identified  by  the  indi- 

2  vidual  in  the  request  for  amendment  and — 

3  (A)  who  is  not  an  officer,  employee,  or 

4  agent  of  the  person;  and 

5  (B)  to  whom  the  unamended  portion  of  the 

6  information  was  disclosed  within  the  previous 

7  year  by  sending  a  notice  to  the  individual's  last 

8  known  address  that  there  has  been  a  sub- 

9  stantive  amendment  to  the  protected  health  in- 

10  formation  of  such  individual. 

11  (b)  Special  Circumstances. — If  an  originating 


12  provider,  its  agent,  or  contractor  no  longer  maintains  the 

13  protected  health  information  sought  to  be  amended  by  an 

14  individual  pursuant  to  subsection  (a),  a  health  plan  or  an- 

15  other  health  care  provider  that  maintains  such  informa- 

16  tion  may  arrange  for  amendment  consistent  with  this  sec- 

17  tion. 


18  (c)  Refusal  To  Amend. — If  a  person  described  in 

19  subsection  (a)  refuses  to  make  the  amendment  requested 

20  under  such  subsection,  the  person  shall  inform  the  indi- 

21  vidual  in  writing  of — 

22  (1)  the  reasons  for  the  refusal  to  make  the 

23  amendment; 

24  (2)  the  availability  of  procedures  for  further  re- 

25  view  of  the  refusal;  and 
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1  (3)  the  procedures  by  which  the  individual  may 

2  file  with  the  person  a  concise  statement  setting  forth 

3  the  requested  amendment  and  the  individual's  rea- 

4  sons  for  disagreeing  with  the  refusal. 

5  (d)  Statement  of  Disagreement. — If  an  indi- 

6  vidual  has  filed  a  statement  of  disagreement  under  sub- 

7  section  (c)(3),  the  person  involved,  in  any  subsequent  dis- 

8  closure  of  the  disputed  portion  of  the  information — 

9  (1)  shall  include  a  notation  concerning  the  indi- 

10  vidual's  statement;  and 

11  (2)  may  include  a  concise  statement  of  the  rea- 

12  sons  for  not  making  the  requested  amendment. 

13  (e)  Rules  Governing  Agents. — The  agent  of  a 

14  person  described  in  subsection  (a)  shall  not  be  required 

15  to  make  amendments  to  protected  health  information,  ex- 

1 6  cept  where — 

17  (1)  the  protected  health  information  is  retained 

18  by  the  agent;  and 

19  (2)  the  agent  has  been  asked  in  writing  by  such 

20  person  to  fulfill  the  requirements  of  this  section. 

21  (f)  Repeated  Requests  for  Amendments. — If  a 

22  person  described  in  subsection  (a)  receives  a  request  for 

23  an  amendment  of  information  as  provided  for  in  such  sub- 

24  section  and  a  statement  of  disagreement  has  been  filed 

25  pursuant  to  subsection  (d),  the  person  shall  inform  the 
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1  individual  of  such  filing  and  shall  not  be  required  to  carry 

2  out  the  procedures  required  under  this  section. 


3  (g)  Rules  of  Construction. — This  section  shall 

4  not  be  construed  to — 

5  (1)  require  that  a  person  described  in  sub- 

6  section  (a)  conduct  a  formal,  informal,  or  other 

7  hearing  or  proceeding  concerning  a  request  for  an 

8  amendment  to  protected  health  information; 

9  (2)  require  a  provider  to  amend  an  individual's 

10  protected  health  information  as  to  the  type,  dura- 

11  tion,  or  quality  of  treatment  the  individual  believes 

12  he  or  she  should  have  been  provided;  or 

13  (3)  permit  any  deletions  or  alterations  of  the 

14  original  information. 

1 5  SEC.  103.  NOTICE  OF  CONFIDENTIALITY  PRACTICES. 

16  (a)  Preparation  of  Written  Notice. — A  health 

17  care  provider,  health  plan,  health  oversight  agency,  public 


18  health  authority,  employer,  life  insurer,  health  researcher, 

19  school,  or  university  shall  post  or  provide,  in  writing  and 

20  in  a  clear  and  conspicuous  manner,  notice  of  the  person's 

21  confidentiality  practices,  that  shall  include — 


22  (1)  a  description  of  an  individual's  rights  with 

23  respect  to  protected  health  information; 

24  (2)  the  uses  and  disclosures  of  protected  health 

25  information  authorized  under  this  Act; 
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1  (3)  the  procedures  for  authorizing  disclosures  of 

2  protected  health  information  and  for  revoking  such 

3  authorizations; 

4  (4)  the  procedures  established  by  the  person  for 

5  the  exercise  of  the  individual's  rights;  and 

6  (5)  the  right  to  obtain  a  copy  of  the  notice  of 

7  the  confidentiality  practices  required  under  this  Act. 

8  (b)  Model  Notice. — The  Secretary,  after  notice 


9  and  opportunity  for  public  comment,  shall  develop  and  dis- 

10  seminate  model  notices  of  confidentiality  practices,  using 

1 1  the  advice  of  the  National  Committee  on  Vital  Health  Sta- 

12  tistics,  for  use  under  this  section.  Use  of  the  model  notice 

13  shall  serve  as  an  absolute  defense  against  claims  of  receiv- 

1 4  ing  inappropriate  notice. 


15  Subtitle  B — Establishment  of 

16  Safeguards 

1 7  SEC.  111.  ESTABLISHMENT  OF  SAFEGUARDS. 

18  (a)  In  General. — A  health  care  provider,  health 


19  plan,  health  oversight  agency,  public  health  authority,  em- 

20  ployer,  life  insurer,  health  researcher,  law  enforcement  of- 

21  ficial,  school,  or  university  shall  establish  and  maintain  ap- 

22  propriate  administrative,  technical,  and  physical  safe- 

23  guards  to  protect  the  confidentiality,  security,  accuracy, 

24  and  integrity  of  protected  health  information  created,  re- 


•HR  2470  IH 


24 

1  ceived,  obtained,  maintained,  used,  transmitted,  or  dis- 

2  posed  of  by  such  person. 

3  (b)  Fundamental  Safeguards. — The  safeguards 

4  established  pursuant  to  subsection  (a)  shall  address  the 

5  following  factors: 

6  (1)  The  need  for  protected  health  information 

7  and  whether  the  purpose  can  be  accomplished  with 

8  nonidentifiable  health  information. 

9  (2)  Appropriate  procedures  for  maintaining  the 

10  security  and  assuring  appropriate  use  of  any  key 

11  used  in  creating  nonidentifiable  health  information. 

12  (3)  The  categories  of  personnel  who  will  have 

13  access  to  protected  health  information  and  appro- 

14  priate  training,  supervision  and  sanctioning  of  such 

15  persons  with  respect  to  their  use  of  protected  health 

16  information   and   adherence   to   established  safe- 

17  guards. 

18  (4)  Appropriate  limitations  on  access  to  indi- 

19  vidual  identifiers. 

20  (5)  Appropriate  mechanism  for  limiting  disclo- 

21  sures  to  the  protected  health  information  necessary 

22  to  respond  to  the  request  for  disclosure. 

23  (6)  Procedures  for  handling  requests  for  pro- 

24  tected  health  information  by  persons  other  than  the 

25  individual  who  is  the  subject  of  such  information,  in- 
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1  eluding  but  not  limited  to  relatives  and  affiliates  of 

2  such  individual,  law  enforcement  officials,  parties  in 

3  civil  litigation,  health  care  providers,  and  health 

4  plans. 

5  SEC.  112.  ACCOUNTING  FOR  DISCLOSURES. 

6  (a)  In  General. — A  health  care  provider,  health 

7  plan,  health  oversight  agency,  public  health  authority,  era- 

8  ployer,  life  insurer,  health  researcher,  law  enforcement  of- 

9  ficial,  school,  or  university  shall  establish  and  maintain  a 

10  process  for  documenting  its  disclosures  of  protected  health 

11  information  by  recording  the  name  and  address  or  other 

12  means  of  contacting  the  recipient,  and  the  purpose  of  the 

13  disclosure. 

14  (b)  Record  of  Disclosure. — A  record  established 

15  under  subsection  (a)  shall  be  maintained  for  not  less  than 

16  7  years. 

17  (c)  Identification  of  Disclosed  Information  as 

18  Protected  Health  Information. — Except  as  other- 

19  wise  provided  in  this  title,  protected  health  information 

20  shall  be  clearly  identified  as  protected  health  information 

21  that  is  subject  to  this  Act. 
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1  TITLE  II— RESTRICTIONS  ON 

2  USE  AND  DISCLOSURE 

3  SEC.  201.  GENERAL  RULES  REGARDING  USE  AND  DISCLO- 

4  SURE. 

5  (a)  Disclosure  Prohibited. — A  health  care  pro- 

6  vider,  health  plan,  health  oversight  agency,  public  health 

7  authority,  employer,  life  insurer,  health  researcher,  law  en- 

8  forcement  official,  school,  or  university,  or  any  of  their 

9  agents  may  not  disclose  protected  health  information  ex- 

10  cept  as  authorized  under  this  Act  or  as  authorized  by  the 

1 1  individual  who  is  the  subject  of  such  information. 

12  (b)  Applicability  to  Agents. — A  person  described 

13  in  subsection  (a)  may  use  an  agent,  including  a  contractor, 

14  to  carry  out  an  otherwise  lawful  activity  using  protected 

15  health  information  maintained  by  such  person,  provided 

16  that  the  person  specifies  the  activities  for  which  the  agent 

17  is  authorized  and  prohibits  the  agent  from  using  or  dis- 

18  closing  protected  health  information  for  purposes  other 

19  than  carrying  out  the  specified  activities. 

20  (1)  Notwithstanding  any  other  provision  of  this 

21  Act,  a  person  who  has  limited  the  activities  of  an 

22  agent  as  provided  in  this  subsection,  shall  not  be  lia- 

23  ble  for  the  actions  or  disclosures  of  the  agent  that 

24  are  not  in  fulfillment  of  the  agent's  specified  activi- 

25  ties. 
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1  (2)  An  agent  who  receives  protected  health  in- 

2  formation  from  a  person  described  in  subsection  (a) 

3  shall  in  its  own  right  be  subject  to  the  applicable 

4  provisions  of  this  Act. 

5  (c)  Creation  of  Nonidbntifiable  Health  In- 

6  FORMATION. — A  person  described  in  subsection  (a)  may 

7  use  protected  health  information  for  the  purpose  of  cre- 

8  ating  nonidentifiable  health  information. 

9  (d)  Individual  Authorization. — To  be  valid,  an 

10  authorization  to  disclose  protected  health  information 

1 1  under  this  title  shall — 

12  (1)  identify  the  individual  who  is  the  subject  of 

13  the  protected  health  information; 

14  (2)  describe  the  nature  of  the  information  to  be 

15  disclosed; 

16  (3)  identify  the  type  of  person  to  whom  the  in- 

17  formation  is  to  be  disclosed; 

18  (4)  describe  the  purpose  of  the  disclosure; 

19  (5)  be  subject  to  revocation  by  the  individual 

20  and  indicate  that  the  authorization  is  valid  until  rev- 

21  ocation  by  the  individual;  and 

22  (6)  be  in  writing,  dated,  and  signed  by  the  indi- 

23  vidual,  a  family  member  or  other  authorized  rep- 

24  resentative. 
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1  (e)  Manipulation  of  Nonidentifiable  Health 

2  Information. — Any  person  who  manipulates  nonidentifi- 

3  able  health  information  in  order  to  identify  an  individual, 

4  or  uses  a  key  to  identify  an  individual  without  authoriza- 

5  tion,  is  deemed  to  have  disclosed  protected  health  informa- 

6  tion. 

7  SEC.  202.  GENERAL  RULES  REGARDING  USE  AND  DISCLO- 

8  SURE  OF  HEALTH  CARE  INFORMATION. 

9  (a)  In  General. — An  individual  who  furnishes  pro- 

10  tected  health  information  in  the  context  of  obtaining 

1 1  health  care  or  health  care  benefits  has  a  justifiable  expec- 

12  tation  that  such  information  will  not  be  misused  and  that 

1 3  its  confidentiality  with  be  maintained.  Protected  health  in- 

14  formation  in  possession  or  control  of  a  health  care  pro- 

1 5  vider  or  health  plan  shall  be  available — 


16  (1)  for  use  by  a  health  plan  or  a  health  care 

17  provider  in  furnishing  health  care  to  an  individual 

18  who  is  the  subject  of  such  information,  including  ar- 

19  rangements  for  treatment,  payment,  and  health  care 

20  operations;  and 

21  (2)  for  use  in  health  research  that  is  not  incon- 

22  sistent  with  the  requirements  of  other  applicable 

23  Federal  laws. 

24  (3)  Limitation. — For  purposes  of  subsection 

25  (b),  use  of  protected  health  information  in  activities 
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1  described  in  this  subsection  is  not  a  disclosure  of 

2  such  information  by  persons  lawfully  engaged  in 

3  such  activities. 

4  (b)  PROHIBITION. — A  health  care  provider,  health 


5  plan,  health  oversight  agency,  public  health  authority,  em- 

6  ployer,  health  or  life  insurer,  health  researcher,  law  en- 

7  forcement  official,  school,  or  university  may  not  disclose 

8  protected  health  information  except  as  authorized  under 

9  this  title. 


10  (1)  Rules  of  construction. — 

1 1  (A)  Disclosure  of  health  information  in  the 

12  form  of  nonidentifiable  health  information  shall 

13  not  be  construed  as  a  disclosure  of  protected 

14  health  information. 

15  (B)  Arrangements  by  a  person  and  its 

16  agents  for  carrying  out  an  authorized  use  of 

17  protected  health  information,  including  uses  au- 

18  thorized  under  subsection  (a),  shall  not  be  con- 

19  sidered  disclosures  for  purposes  of  this  Act, 

20  provided  that  the  use  is  consistent  with  the  pur- 

21  poses  for  which  the  information  was  lawfully 

22  obtained  by  such  person. 

23  (C)  Nothing  in  this  title  shall  be  construed 

24  to  require  disclosure  by  a  health  care  provider 

25  or  a  health  plan. 


HR  2470  IH 


30 

1  (2)  Disclosure  by  agents. — An  agent  who 
receives  protected  health  information  from  a  person 

3  described  in  subsection  (b)  shall  be  subject  to  all 

4  rules   of  disclosure   and   safeguard  requirements 

5  under  this  title. 

6  (c)  Scope  of  Disclosure. — Every  disclosure  of  pro- 

7  tected  health  information  by  a  person  under  this  title  shall 

8  be  limited  to  the  information  necessary  to  accomplish  the 

9  purpose  for  which  the  information  is  disclosed. 

10  (d)  Identification  of  Disclosed  Information 

11  as  Protected  Health  Information. — Except  as  oth- 

12  erwise  provided  in  this  title,  protected  health  information 

13  may  not  be  disclosed  unless  such  information  is  clearly 

14  identified  as  protected  health  information  that  is  subject 

15  to  this  Act. 

16  (e)  Creation  of  Nonidentifiable  Health  In- 

17  FORMATION. — A  person  described  in  subsection  (b)  may 

18  use  protected  health  information  for  the  purpose  of  cre- 

1 9  ating  nonidentifiable  health  information,  if  the  person  pro- 

20  hibits  the  employee  or  agent  creating  the  nonidentifiable 

21  health  information  from  using  or  disclosing  the  protected 

22  health  information  for  purposes  other  than  the  sole  pur- 

23  pose  of  creating  nonidentifiable  health  information  as 

24  specified  by  the  person. 
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1  (f)  Disclosure  Using  the  Key. — Any  person  who 

2  manipulates  nonidentifiable  health  information  in  order  to 

3  identity  an  individual,  without  lawfully  using  the  key,  is 

4  deemed  to  have  disclosed  protected  health  information. 

5  SEC.  203.  AUTHORIZATIONS  FOR  USE  OR  DISCLOSURE  OF 

6  PROTECTED  HEALTH  INFORMATION  OTHER 

7  THAN  FOR  TREATMENT,  PAYMENT,  HEALTH 

8  CARE  OPERATIONS,  OR  HEALTH  RESEARCH. 

(a)  In  General. — An  individual  who  is  the  subject 

10  of  protected  health  information  may  authorize  any  person 

11  to  disclose  or  use  such  information  for  any  purpose.  An 

12  authorization  under  this  section  is  not  valid  if  its  signing 

13  by  the  individual  is  a  prerequisite  for  signing  an  authoriza- 

14  tion  under  section  202. 

15  (b)  Written  Authorizations. — A  person  may  dis- 

16  close  and  use  protected  health  information,  for  purposes 

17  other  than  those  authorized  under  section  202,  pursuant 

18  to  a  written  authorization  signed  by  the  individual  who 

19  is  the  subject  of  the  information  that  meets  the  require- 

20  ments  of  section  201(d).  An  authorization  under  this  sec- 

21  tion  shall  be  separate  from  any  authorization  provided 

22  under  section  202. 

23  (c)  Limitation  on  Authorizations. — Xotwith- 

24  standing  any  other  provision  of  Federal  law,  life  insurers, 

25  and  other  entities  issuing  disability  income  or  long-term 
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1  care  insurance  under  the  laws  of  any  State,  shall  meet 

2  the  requirements  of  section  201(a)  with  respect  to  an  indi- 

3  vidual  for  purposes  of  life,  disability  income  or  long-term 

4  care  insurance,  by  obtaining  authorization  of  such  indi- 

5  vidual  under  this  section  203. 

6  (1)  Notwithstanding  subsection  (d),  an  author- 

7  ization  obtained  in  the  ordinary  course  of  business 

8  by  a  life  insurer  under  this  section  shall  remain  in 

9  effect  during  the  term  of  the  individual's  insurance 

10  coverage  and  as  may  be  necessary  for  the  issuer  to 

1 1  meet  its  obligations  with  respect  to  such  individual 

12  under  the  terms  of  the  policy,  plan  or  program. 

13  (2)  An  authorization  obtained  from  an  indi- 

14  vidual  in  connection  with  an  application  that  does 

15  not  result  in  coverage  with  respect  to  such  individual 

16  shall  expire  the  earlier  of  the  date  specified  in  the 

17  individual's  authorization  or  the  effective  date  of  any 

18  revocation  under  subsection  (d). 

19  (d)  Revocation  or  Amendment  of  Authoriza- 

20  TION.— 

21  (1)  In  general. — Except  as  otherwise  pro- 

22  vided  in  this  section,  an  individual  may  revoke  or 

23  amend  an  authorization  described  in  this  section  by 

24  providing  written  notice  to  the  person  who  obtained 

25  such  authorization  unless  the  disclosure  that  is  the 


•HR  2470  IH 


33 

1  subject  of  the  authorization  is  related  to  the  evalua- 

2  tion  of  an  application  for  life  insurance  coverage  or 

3  a  claim  for  life  insurance  benefits. 

4  (2)  Notice  of  revocation. — A  person  that 

5  discloses  protected  health  information  pursuant  to 

6  an  authorization  that  has  been  revoked  under  para- 

7  graph  (1)  shall  not  be  subject  to  any  liability  or  pen- 

8  alty  under  this  title  if  that  person  had  no  actual  no- 

9  tice  of  the  revocation. 

10  (e)  Disclosure  for  Purpose  Only. — A  recipient 


11  of  protected  health  information  pursuant  to  an  authoriza- 

12  tion  under  section  203(b)  may  disclose  such  information 

13  only  to  carry  out  the  purposes  for  which  the  information 

1 4  was  authorized  to  be  disclosed. 


15  (f)  Model  Authorizations. — 

16  (1)  The  Secretary,  after  notice  and  opportunity 

17  for  public  comment,  shall  develop  and  disseminate 

18  model  written  authorizations  of  the  type  described  in 

19  subsection  (b).  The  Secretary  shall  consult  with  the 

20  National  Committee  on  Vital  and  Health  Statistics 

21  in  developing  such  authorizations. 

22  (2)  Notwithstanding  paragraph  (1),  the  insur- 

23  ance  commissioner  of  the  State  of  domicile  of  a  life 

24  insurer  may  exercise  exclusive  authority  in  devel- 
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1  oping  and  disseminating  model  written  authoriza- 

2  tions  for  purposes  of  subsection  (c). 

3  (3)  Any  authorization  obtained  using  a  model 

4  authorization  promulgated  under  this  subsection 

5  shall  be  deemed  to  meet  the  authorization  require- 

6  ments  of  this  section. 

7  (g)  Authorizations  for  Research. — This  section 

8  applies  to  health  research  only  where  such  research  is  not 

9  governed  by  section  208. 

10  SEC.  204.  NEXT  OF  KIN  AND  DIRECTORY  INFORMATION. 

1 1  (a)  Next  of  Kin. — A  health  care  provider,  or  a  per- 


12  son  who  receives  protected  health  information  under  sec- 

13  tion  205,  may  disclose  protected  health  information  re- 

14  garding  an  individual  to  the  individual's  spouse,  parent, 

15  child,  sister,  brother,  next  of  kin,  or  to  another  person 

1 6  whom  the  individual  has  identified,  if — 


17  (1)  the  individual  who  is  the  subject  of  the 

1 8  information — 

19  (A)  has  been  notified  of  the  individual's 

20  right  to  object  to  such  disclosure  and  the  indi- 

21  vidual  has  not  objected  to  the  disclosure;  or 

22  (B)  is  in  a  physical  or  mental  condition 

23  such  that  the  individual  is  not  capable  of  object- 

24  ing,  and  there  are  no  prior  indications  that  the 

25  individual  would  object; 
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1  (2)  the  information  disclosed  relates  to  health 

2  care  currently  being  provided  to  that  individual;  and 

3  (3)  the  disclosure  of  the  protected  health  infor- 

4  mation  is  consistent  with  good  medical  or  profes- 

5  sional  practice. 

6  (b)  Directory  Information. — 

7  (1)  Disclosure. — 

8  (A)  In  general. — Except  as  provided  in 

9  paragraph  (2),  a  person  described  in  subsection 

10  (a)  may  disclose  the  information  described  in 

11  subparagraph  (B)  to  any  person  if  the  indi- 

12  vidual  who  is  the  subject  of  the  information — 

13  (i)  has  been  notified  of  the  individ- 

14  ual's  right  to  object  and  the  individual  has 

15  not  objected  to  the  disclosure;  or 

16  (ii)  is  in  a  physical  or  mental  condi- 

17  tion  such  that  the  individual  is  not  capable 

18  of  objecting,  the  individual's  next  of  kin 

19  has  not  objected,  and  there  are  no  prior  in- 

20  dications  that  the  individual  would  object. 

21  (B)  INFORMATION. — Information  described 

22  in  this  subparagraph  is  information  that  con- 

23  sists  only  of  1  or  more  of  the  following  items: 

24  (i)  The  name  of  the  individual  who  is 

25  the  subject  of  the  information. 
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1  (ii)  The  general  health  status  of  the 

2  individual,  described  as  critical,  poor,  fair, 

3  stable,  or  satisfactory  or  in  terms  denoting 

4  similar  conditions. 

5  (iii)  The  location  of  the  individual  on 

6  premises  controlled  by  a  provider. 

7  (2)  Exception.— 

8  (A)     Location. — Paragraph  (l)(B)(iii) 

9  shall  not  apply  if  disclosure  of  the  location  of 

10  the  individual  would  reveal  specific  information 

1 1  about  the  physical  or  mental  condition  of  the 

12  individual,  unless  the  individual  expressly  au- 

13  thorizes  such  disclosure. 

14  (B)  Directory  or  next  of  kin  infor- 

15  mation. — A  disclosure  may  not  be  made  under 
I  6  this  section  if  the  health  care  provider  involved 

7  has  reason  to  believe  that  the  disclosure  of  di- 

18  rectory  or  next  of  kin  information  could  lead  to 

19  the  physical  or  mental  harm  of  the  individual, 

20  unless  the  individual  expressly  authorizes  such 

21  disclosure. 

22  SEC.  205.  EMERGENCY  CIRCUMSTANCES. 

23  Any  person  who  creates  or  receives  protected  health 

24  information  under  this  title  may  disclose  protected  health 

25  information  in  emergency  circumstances  when  necessary 
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1  to  protect  the  health  or  safety  of  the  individual  who  is 

2  the  subject  of  such  information  from  serious,  imminent 

3  harm.  No  disclosure  made  in  the  good  faith  belief  that 

4  the  disclosure  was  necessary  to  protect  the  health  or  safety 

5  of  an  individual  from  serious,  imminent  harm  shall  be  in 

6  violation  of,  or  punishable  under,  this  Act. 

7  SEC.  206.  OVERSIGHT. 

8  (a)  In  General. — Any  person  may  disclose  pro- 

9  tected  health  information  to  an  accrediting  body  or  public 

10  health  authority,  a  health  oversight  agency,  or  a  State  in- 

1 1  surance  department,  for  purposes  of  an  oversight  function 

1 2  authorized  by  law. 

13  (b)  Protection  From  Further  Disclosure. — 

14  Protected  health  information  disclosed  under  this  section 

15  shall  not  be  further  disclosed  by  an  accrediting  body  or 

16  public  health  authority,  a  health  oversight  agency,  a  State 

1 7  insurance  department,  or  their  agents  for  any  purpose  un- 

18  related  to  the  authorized  oversight  function.  Notwith- 

19  standing  any  other  provision  of  law,  protected  health  in- 

20  formation  disclosed  under  this  section  shall  be  protected 

21  from  further  disclosure  by  an  accrediting  body  or  public 

22  health  authority,  a  health  oversight  agency,  a  State  insur- 

23  ance  department,  or  their  agents  pursuant  to  a  subpoena, 

24  discovery  request,  introduction  as  evidence,  testimony,  or 

25  otherwise. 
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1  (c)  Authorization  by  a  Supervisor, — For  pur- 

2  poses  of  this  section,  the  individual  with  authority  to  au- 

3  thorize  the  oversight  function  involved  shall  provide  to  the 

4  person  described  in  subsection  (a)  a  statement  that  the 

5  protected  health  information  is  being  sought  for  a  legally 

6  authorized  oversight  function. 

7  (d)  Use  in  Action  Against  Individuals. — Pro- 

8  tected  health  information  about  an  individual  that  is  dis- 

9  closed  under  this  section  may  not  be  used  by  the  recipient 

10  in,  or  disclosed  by  the  recipient  to  any  person  for  use  in, 

11  an  administrative,  civil,  or  criminal  action  or  investigation 

12  directed  against  the  individual  who  is  the  subject  of  the 

13  protected  health  information  unless  the  action  or  inves- 

1 4  tigation  arises  out  of  and  is  directly  related  to — 

15  (1)  the  receipt  of  health  care  or  payment  for 

16  health  care;  or 

17  (2)  a  fraudulent  claim  related  to  health  care,  or 

18  a  fraudulent  or  material  misrepresentation  of  the 

19  health  of  the  individual. 

20  SEC.  207.  PUBLIC  HEALTH. 

21  (a)  In  General. — A  health  care  provider,  health 

22  plan,  public  health  authority,  health  researcher,  employer, 

23  life  insurer,  law  enforcement  official,  school,  or  university 

24  may  disclose  protected  health  information  to  a  public 
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1  health  authority  or  other  person  authorized  by  law  for  use 

2  in  a  legally  authorized — 


3  (1)  disease  or  injury  report; 

4  (2)  public  health  surveillance; 

5  (3)  public  health  investigation  or  intervention; 

6  (4)  vital  statistics  report,  such  as  birth  or  death 

7  information; 

8  (5)  report  of  abuse  or  neglect  information  about 

9  any  individual;  or 

10  (6)  report  of  information  concerning  a  commu- 

1 1  nicable  disease  status. 

12  (b)  Identification  of  Deceased  Individual. — 


13  Any  person  may  disclose  protected  health  information  if 

14  such  disclosure  is  necessary  to  assist  in  the  identification 

15  or  safe  handling  of  a  deceased  individual. 

16  (c)    Requirement    To    Release  Protected 

17  Health  Information  to  Coroners  and  Medical 

18  Examiners. — 


19  (1)  In  GENERAL. — When  a  Coroner  or  Medical 

20  Examiner  or  their  duly  appointed  deputies  seek  pro- 

21  tected  health  information  for  the  purpose  of  inquiry 

22  into  and  determination  of,  the  cause,  manner,  and 

23  circumstances  of  a  death,  the  health  care  provider, 

24  health  plan,  health  oversight  agency,  public  health 

25  authority,  employer,  life  insurer,  health  researcher, 
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1  law  enforcement  official,  school,  or  university  in- 

2  volved  shall  provide  the  protected  health  information 

3  to  the  Coroner  or  Medical  Examiner  or  to  the  duly 

4  appointed  deputies  without  undue  delay. 

5  (2)  Production  op  additional  informa- 

6  TION. — If  a  Coroner  or  Medical  Examiner  or  their 

7  duly  appointed  deputies  receives  health  information 

8  from  a  person  referred  to  in  paragraph  (1),  such 

9  health  information  shall  remain  as  protected  health 
10  information  unless  the  health  information  is  at- 
1  1  tached  to  or  otherwise  made  a  part  of  a  Coroner's 

12  or  Medical  Examiner's  official  report,  in  which  case 

13  it  shall  no  longer  be  protected. 

14  (3)  Exemption. — Health  information  attached 

15  to  or  otherwise  made  a  part  of  a  Coroner's  or  Med- 

16  ical  Examiner's  official  report,  shall  be  exempt  from 

17  the  provisions  of  this  Act. 

1 8  SEC.  208.  HEALTH  RESEARCH. 

19  (a)  In  General. — A  person  lawfully  in  possession  of 

20  protected  health  information  may  disclose  such  informa- 

21  tion  to  a  health  researcher  under  any  of  the  following  ar- 

22  rangements: 

23  (1)  Research  governed  by  the  common 

24  RULE. — A  person  identified  in  subsection  (a)  may 

25  disclose  protected  health  information  to  a  health  re- 
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1  searcher  if  the  research  project  has  been  approved 

2  by  an  institutional  review  board  pursuant  to  the  re- 

3  quirements  of  the  common  rule  as  implemented  by 

4  a  Federal  agency. 

5  (2)  Analyses  of  health  care  records  and 

6  MEDICAL  ARCHIVES. — A  person  identified  in  sub- 

7  section  (a)  may  disclose  protected  health  information 

8  to  a  health  researcher  if — 

9  (A)  consistent  with  the  safeguards  estab- 

10  lished  pursuant  to  section  111  and  the  person's 

11  policies  and  procedures  established  under  this 

12  section,  the  health  research  has  been  reviewed 

13  by  a  board,  committee,  or  other  group  formally 

14  designated  by  such  person  to  review  research 

15  programs; 

16  (B)  the  health  research  involves  analysis  of 

17  protected  health  information  previously  created 

18  or  collected  by  the  person; 

19  (C)  the  person  that  maintains  the  pro- 

20  tected  health  information  to  be  used  in  the 

21  analyses  has  in  place  a  written  policy  and  pro- 

22  cedure  to  assure  the  security  and  confidentially 

23  of  protected  health  information  and  to  specify 

24  permissible  and  impermissible  uses  of  such  in- 

25  formation  for  health  research; 
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1  (D)  the  person  that  maintains  the  pro- 

2  tected  health  information  to  be  used  in  the 

3  analyses  enters  into  a  written  agreement  with 

4  the  recipient  health  researcher  that  specifies  the 

5  permissible  and  impermissible  uses  of  the  pro- 

6  tected  health  information  and  provides  notice  to 
the  researcher  that  any  misuse  or  further  dis- 

8  closure  of  the  information  to  other  persons  is 

9  prohibited  and  may  provide  a  basis  for  action 
10  against  the  health  researcher  under  this  Act; 
i  I  and 

12  (E)  the  person  keeps  a  record  of  health  re- 

13  searchers  to  whom  protected  health  information 

14  has  been  disclosed. 

15  (3)  Safety  and  efficacy  reports. — A  per- 

16  son  may  disclose  protected  health  information  to  a 

17  manufacturer  of  a  drug,  biologic  or  medical  device, 

18  in  connection  with  any  monitoring  activity  or  reports 

19  made  to  such  manufacturer  for  use  in  verifying  the 

20  safety  or  efficacy  of  such  manufacturer's  approved 

21  product  in  special  populations  or  for  long-term  use. 

22  (b)  Oversight. — On  the  advice  of  the  National  Com- 


23  mittee  on  Vital  and  Health  Statistics,  the  Secretary  shall 

24  report  to  the  Congress  not  later  than  18  months  after  the 

25  effective  date  of  this  section  concerning  the  adequacy  of 
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1  the  policies  and  procedures  implemented  pursuant  to  sub- 

2  section  (a)(2)  for  protecting  the  confidentiality  of  pro- 

3  tected  health  information  while  promoting  its  use  in  re- 

4  search  concerning  health  care  outcomes,  the  epidemiology 

5  and  etiology  of  diseases  and  conditions  and  the  safety,  effi- 

6  cacy  and  cost  effectiveness  of  health  care  interventions. 

7  Based  on  the  conclusions  of  such  report,  the  Secretary 

8  may  promulgate  model  language  for  written  agreements 

9  deemed  to  comply  with  subsection  (a)(2)(C). 

10  (c)    Statutory    Assurance    of  Confiden- 

1 1  tiality. — 

12  (1)  Protected  health  information  obtained  by  a 

13  health  researcher  pursuant  to  this  section  shall  be 

14  used  and  maintained  in  confidence,  consistent  with 

15  the  confidentiality  practices  established  by  the  health 

16  researcher  pursuant  to  section  111. 

17  (2)  A  recipient  health  researcher  may  not  be 

18  compelled  in  any  Federal,  State,  or  local  civil,  crimi- 

19  nal,  administrative,  legislative,  or  other  proceeding 

20  to  disclose  protected  health  information  created, 

21  maintained  or  received  under  this  section,  provided 

22  that  nothing  in  this  paragraph  shall  be  construed  to 

23  prevent  an  audit  or  lawful  investigation  pursuant  to 

24  the  authority  of  a  Federal  department  or  agency,  of 
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1  a  research  project  conducted,  supported  or  subject  to 

2  regulation  by  such  department  or  agency. 

3  (3)  Notwithstanding  any  other  provision  of  law, 

4  information  disclosed  by  a  health  researcher  to  a 

5  Federal  agency  under  this  subsection  may  not  be 

6  further  used  or  disclosed  by  the  agency  for  a  pur- 
pose unrelated  to  the  agency's  oversight  or  investiga- 

8  tion. 

9  SEC.  209.  DISCLOSURE  IN  CIVIL,  JUDICIAL,  AND  ADMINIS- 

10  TRATWE  PROCEDURES. 

11  (a)  In  General. — A  health  care  provider,  health 

12  plan,  public  health  authority,  employer,  life  insurer,  law 

13  enforcement  official,  school,  or  university  may  disclose 

1 4  protected  health  information — 

15  (1)  pursuant  to  a  discovery  request  or  subpoena 

16  in  a  civil  action  brought  in  a  Federal  or  State  court 

17  or  a  request  or  subpoena  related  to  a  Federal  or 

18  State  administrative  proceeding,  provided  that 

19  (2)  such  discovery  request  or  subpoena  is  made 

20  through  or  pursuant  to  a  court  order  as  provided  for 
7A  in  subsection  (b). 

22  (b)  Court  Orders. — 

23  (1)  Standard  for  issuance. — In  considering 

24  a  request  for  a  court  order  regarding  the  disclosure 

25  of  protected  health  information  under  subsection  (a), 
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1  the  court  shall  issue  such  order  if  the  court  deter- 

2  mines  that  without  the  disclosure  of  such  informa- 

3  tion,  the  person  requesting  the  order  would  be  im- 

4  paired  from  establishing  a  claim  or  defense. 

5  (2)  Requirements. — An  order  issued  under 

6  paragraph  (1)  shall — 

7  (A)  provide  that  the  protected  health  infor- 

8  mation  involved  is  subject  to  court  protection; 

9  (B)  specify  to  whom  the  information  may 

10  be  disclosed; 

11  (C)  specify  that  such  information  may  not 

12  otherwise  be  disclosed  or  used;  and 

13  (D)  meet  any  other  requirements  that  the 

14  court  determines  are  needed  to  protect  the  con- 

15  fidentiality  of  the  information. 

16  (c)  Applicability. — This  section  shall  not  apply  in 


17  a  case  in  which  the  protected  health  information  sought 

18  under  such  discovery  request  or  subpoena  relates  to  a 

19  party  to  the  litigation  or  an  individual  whose  medical  con- 

20  dition  is  at  issue. 

21  (d)  Effect  of  Section. — This  section  shall  not  be 

22  construed  to  supersede  any  grounds  that  may  apply  under 

23  Federal  or  State  law  for  objecting  to  turning  over  the  pro- 

24  tected  health  information. 
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1    SEC.   210.   DISCLOSURE  FOR  LAW  ENFORCEMENT  PUR- 


2  POSES. 

3  (a)  Disclosure. — 

4  (1)  In  general. — A  person  who  receives  pro- 

5  teeted  health  information  pursuant  to  sections  202 

6  through  207,  may  disclose  such  information  to  a 
State  or  Federal  law  enforcement  agency  if  such  dis- 

8  closure  is  pursuant  to — 

9  (A)  a  subpoena  issued  under  the  authority 

10  of  a  grand  jury; 

11  (B)  an  administrative  subpoena  or  sum- 

1 2  mons  or  a  judicial  subpoena  or  warrant  if  the 

13  determination  described  in  paragraph  (2)  has 
I A  been  made; 

1  5  (C)  a  warrant  issued  upon  a  showing  of 

16  probable  cause  if  the  determination  described  in 

17  paragraph  (2)  has  been  made; 

18  (D)  a  Federal  or  state  law  requiring  the 

19  reporting  of  specific  medical  information  to  law 

20  enforcement  authorities; 

21  (E)  a  written  consent  or  waiver  of  privilege 

22  by  an  individual  allowing  access  to  the  individ- 

23  ual's  protected  health  information;  or 

24  (F)  by  other  court  order  if  the  determina- 

25  tion  described  in  paragraph  (2)  has  been  made. 
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1  (2)  Higher  standard  for  disclosure  of 

2  certain  information. — The  determination  under 

3  this  paragraph  is  a  determination,  by  the  court  or 

4  administrative  body  issuing  the  subpoena,  summons, 

5  warrant,  or  order  involved,  that  the  need  of  the  per- 

6  son  requesting  the  disclosure  for  the  information 

7  substantially  outweighs  the  privacy  interest  of  each 

8  individual  whose  health  or  health  care  is  the  subject 

9  of  the  information. 

10  (b)  Redactions. — To  the  extent  practicable  and 

11  consistent  with  the  requirements  of  due  process,  in  the 

12  case  of  information  disclosed  under  subsection  (a)  the 

13  State  or  Federal  law  enforcement  agency  to  which  the  in- 

14  formation  is  disclosed  shall  redact  personal  identifiers 

15  from  protected  health  information  prior  to  the  public  dis- 

16  closure  of  such  information  in  a  judicial  or  administrative 

1 7  proceeding. 

18  (c)  Use  of  Information. — Protected  health  infor- 

19  mation  obtained  by  a  State  or  Federal  law  enforcement 

20  agency  under  subsection  (a)  may  only  be  used  for  purposes 

21  of  a  legitimate  law  enforcement  activity. 

22  (d)  Exception  in  Exigent  Circumstances. — Sub- 

23  section  (a)  shall  not  be  construed  to  limit  or  restrict  the 

24  ability  of  State  or  Federal  law  enforcement  agencies  to 
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1  gain  protected  health  information  if  exigent  circumstances 

2  exist. 

3  SEC.  211.  PAYMENT  CARD  AND  ELECTRONIC  PAYMENT 

4  TRANSACTION. 

5  (a)  Payment  for  Health  Care  Through  Card 

6  OR  Electronic  Means. — If  an  individual  pays  for  health 

7  care  by  presenting  a  debit,  credit,  or  other  payment  card 

8  or  account  number,  or  by  any  other  payment  means,  the 

9  person  receiving  the  payment  may  disclose  to  a  person  de- 

10  scribed  in  subsection  (b)  only  such  protected  health  infor- 

1 1  mation  about  the  individual  as  is  necessary  in  connection 

12  with  activities  described  in  subsection  (b),  including  the 

1 3  processing  of  the  payment  transaction  or  the  billing  or  col- 

14  lection  of  amounts  charged  to,  debited  from,  or  otherwise 

15  paid  by,  the  individual  using  the  card,  number,  or  other 

16  means. 

i  7  (b)  Transaction  Processing. — A  person  who  is  a 

1 8  debit,  credit,  or  other  payment  card  issuer,  a  payment  sys- 

19  tern  operator,  a  financial  institution  participant  in  a  pay- 

20  ment  system  or  is  an  entity  assisting  such  an  issuer,  oper- 

21  ator,  or  participant  in  connection  with  activities  described 

22  in  this  subsection,  may  use  or  disclose  protected  health 

23  information  about  an  individual  in  connection  with — 

24  (1)  the  authorization,  settlement,  billing,  proc- 

25  essing,  clearing,  transferring,  reconciling,  or  collec- 
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1  tion  of  amounts  charged,  debited  or  other-wise  paid 

2  using  a  debit,  credit,  or  other  payment  card  or  ac- 

3  count  number,  or  by  other  payment  means; 

4  (2)  the  transfer  of  receivables,  accounts,  or  in- 

5  terest  therein; 

6  (3)  the  audit  of  the  debit,  credit,  or  other  pay- 

7  ment  information; 

8  (4)  compliance  with  Federal,  State,  or  local  law; 

9  (5)  compliance  with  a  properly  authorized  civil, 

10  criminal,  or  regulatory  investigation  by  Federal, 

11  State,  or  local  authorities  as  governed  by  the  re- 

12  quirements  of  this  section;  or 

13  (6)  fraud  protection,  risk  control,  resolving  cus- 

14  tomer  disputes  or  inquiries,  communicating  with  the 

15  person  to  whom  the  information  relates,  or  reporting 

16  to  consumer  reporting  agencies. 

17  (c)  Specific  Prohibitions. — A  person  described  in 


18  subsection  (b)  may  not  disclose  protected  health  informa- 

19  tion  for  any  purpose  that  is  not  described  in  subsection 

20  (b).  Notwithstanding  any  other  provision  of  law,  any 

21  health  care  provider,  health  plan,  health  oversight  agency, 

22  health  researcher,  employer,  life  insurer,  school  or  univer- 

23  sity  who  makes  a  good  faith  disclosure  of  protected  health 

24  information  to  an  entity  and  for  the  purposes  described 
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1  in  subsection  (b)  shall  not  be  liable  for  subsequent  disclo- 

2  sures  by  such  entity. 


3  (d)  Scope.— 

4  (1)  In  general. — The  use  of  protected  health 

5  information  by  a  person  described  in  subsection  (b) 

6  and  its  agents  shall  not  be  considered  a  disclosure 

7  for  purposes  of  this  Act,  so  long  as  the  use  involved 

8  is  consistent  with  the  activities  authorized  in  sub- 

9  section  (b)  or  other  purposes  for  which  the  informa- 
i  0  tion  was  lawfully  obtained. 

11  (2)  Regulated  institutions. — A  person  who 

12  is  subject  to  enforcement  pursuant  to  section  8  of 

13  the  Federal  Deposit  Insurance  Act  or  who  is  a  Fed- 

14  eral  credit  union  or  State  credit  union  as  defined  in 
I  5  the  Federal  Credit  Union  Act  or  who  is  registered 

16  pursuant  to  the  Securities  and  Exchange  Act,  or 

1 7  who  is  an  entity  assisting  such  a  person — 

18  (A)  shall  not  be  subject  to  this  Act  to  the 

1 9  extent  that  such  person  or  entity  is  described  in 

20  subsection  (b)  and  to  the  extent  that  such  per- 

21  son  or  entity  is  engaged  in  activities  authorized 

22  in  that  subsection;  and 

23  (B)  shall  be  subject  to  enforcement  exclu- 

24  sively  under  section  8  of  the  Federal  Deposit 

25  Insurance  Act,  the  Federal  Credit  Union  Act, 
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1  or  the  Securities  and  Exchange  Act,  as  applica- 

2  ble,  to  the  extent  that  such  person  or  entity  is 

3  engaged  in  activities  other  than  those  permitted 

4  under  subsection  (b). 

5  (3)  Rule  of  construction. — Nothing  in  this 

6  subsection  shall  be  deemed  to  exempt  entities  de- 

7  scribed  in  paragraph  (2)  from  the  prohibition  set 

8  forth  in  subsection  (c). 

9  SEC.  212.  INDIVIDUAL  REPRESENTATP/ES. 

10  (a)  In  General. — Except  as  provided  in  subsections 


1 1  (b)  and  (c),  a  person  who  is  authorized  by  law  (based  on 

12  grounds  other  than  the  individual  being  a  minor),  or  by 

13  an  instrument  recognized  under  law,  to  act  as  an  agent, 

14  attorney,  proxy,  or  other  legal  representative  of  a  pro- 

15  tected  individual,  may,  to  the  extent  so  authorized,  exer- 

16  cise  and  discharge  the  rights  of  the  individual  under  this 

17  Act. 

18  (b)  Health  Care  Power  of  Attorney. — A  person 

19  who  is  authorized  by  law  (based  on  grounds  other  than 

20  being  a  minor),  or  by  an  instrument  recognized  under  law, 

21  to  make  decisions  about  the  provision  of  health  care  to 

22  an  individual  who  is  incapacitated,  may  exercise  and  dis- 

23  charge  the  rights  of  the  individual  under  this  Act  to  the 

24  extent  necessary  to  effectuate  the  terms  or  purposes  of 

25  the  grant  of  authority. 
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1  (c)  No  Court  Declaration. — If  a  health  care  pro- 

2  vider  determines  that  an  individual,  who  has  not  been  de- 

3  elared  to  be  legally  incompetent,  suffers  from  a  medical 

4  condition  that  prevents  the  individual  from  acting  know- 

5  ingly  or  effectively  on  the  individual's  own  behalf,  the  right 

6  of  the  individual  to  authorize  disclosure  under  this  Act 

7  may  be  exercised  and  discharged  in  the  best  interest  of 

8  the  individual  by — 

9  (1)  a  person  described  in  subsection  (b)  with  re- 

10  spect  to  the  individual; 

11  (2)  a  person  described  in  subsection  (a)  with  re- 

12  spect  to  the  individual,  but  only  if  a  person  de- 

13  scribed  in  paragraph  (1)  cannot  be  contacted  after 

14  a  reasonable  effort; 

15  (3)  the  next  of  kin  of  the  individual,  but  only 

16  if  a  person  described  in  paragraph  (1)  or  (2)  cannot 

17  be  contacted  after  a  reasonable  effort;  or 

18  (4)  the  health  care  provider,  but  only  if  a  per- 

19  son  described  in  paragraph  (1),  (2),  or  (3)  cannot  be 

20  contacted  after  a  reasonable  effort. 

21  (d)  Application  to  Deceased  Individuals. — The 

22  provisions  of  this  Act  shall  continue  to  prevent  disclosure 

23  of  protected  health  information  concerning  a  deceased  in- 

24  dividual. 
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1  (e)  Exercise  of  Rights  on  Behalf  of  a  De- 

2  ceased  Individual. — 

3  (1)  In  GENERAL. — A  person  who  is  authorized 

4  by  law  or  by  an  instrument  recognized  under  law,  to 

5  act  as  an  executor  of  the  estate  of  a  deceased  indi- 

6  vidual,  or  otherwise  to  exercise  the  rights  of  the  de- 

7  ceased  individual,  may,  to  the  extent  so  authorized, 

8  exercise  and  discharge  the  rights  of  such  deceased 

9  individual  under  this  Act  for  a  period  of  2  years  fol- 

10  lowing  the  death  of  such  individual.  If  no  such  des- 

1 1  ignee  has  been  authorized,  the  rights  of  the  deceased 

12  individual  may  be  exercised  as  provided  for  in  sub- 

13  section  (c). 

14  (2)  Insured  individuals. — In  the  case  of  an 

15  individual  who  is  deceased  and  who  was  the  insured 

16  under  an  insurance  policy  or  policies,  the  right  to 

17  authorize  disclosure  of  protected  health  information 

18  may  be  exercised  by  the  beneficiary  or  beneficiaries 

19  of  such  insurance  policy  or  policies. 

20  (f)  Rights  of  Minors. — The  rights  of  minors  under 

21  this  Act  shall  be  exercised  by  a  parent,  the  minor  or  other 

22  person  as  provided  under  applicable  state  law. 

23  SEC.  213.  NO  LIABILITY  FOR  PERMISSIBLE  DISCLOSURES. 

24  A  health  care  provider,  health  plan,  health  oversight 

25  agency,  health  researcher,  employer,  life  insurer,  school, 


•HR  2470  IH 


54 

1  or  university,  or  an  agent  of  such  persons,  that  makes  a 

2  disclosure  of  protected  health  information  about  an  indi- 

3  vidual  that  is  permitted  by  this  Act  shall  not  be  liable  to 

4  the  individual  for  such  disclosure  under  common  law. 

5  SEC.  214.  SALE  OF  BUSINESS,  MERGERS,  ETC. 

6  (a)  Ix  Gexeral. — A  health  care  provider,  health 

7  plan,  health  oversight  agency,  employer,  life  insurer, 

8  school,  or  university  may  disclose  protected  health  infor- 

9  mation  to  a  person  or  persons  for  purposes  of  enabling 

10  business  decisions  to  be  made  about  or  in  connection  with 

11  the  purchase,  transfer,  merger,  or  sale  of  a  business  or 

12  businesses. 

13  (b)  No  Further  Disclosure. — A  person  or  per- 

14  sons  who  receive  protected  health  information  under  this 

15  section  shall  make  no  further  use  or  disclosure  of  such 

16  information  unless  otherwise  authorized  under  this  Act. 

17  TITLE  III— SANCTIONS 
Subtitle  A — Criminal  Provisions 

19  SEC.    301.    WRONGFUL    DISCLOSURE    OF  PROTECTED 

20  HEALTH  INFORMATION. 

21  (a)  In  General. — Part  I  of  title  18,  United  States 

22  Code,  is  amended  by  adding  at  the  end  the  following: 
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1  "CHAPTER  124— WRONGFUL  DISCLOSURE 

2  OF  PROTECTED  HEALTH  INFORMATION 

3  "§2801.  Wrongful  disclosure  of  protected  health  in- 

4  formation 

5  "(a)  OFFENSE. — The  penalties  described  in  sub- 

6  section  (b)  shall  apply  to  a  person  that  knowingly  and 

7  intentionally — 

8  "(1)  obtains  protected  health  information  relat- 

9  ing  to  an  individual  from  a  health  care  provider, 

10  health  plan,  health  oversight  agency,  public  health 

11  authority,  employer,  life  insurer,  health  researcher, 

12  law  enforcement  official,  school,  or  university  except 

13  as  provided  in  title  II  of  the  Medical  Information 

14  Protection  Act  of  1999;  or 

15  "(2)  discloses  protected  health  information  to 

16  another  person  in  a  manner  other  than  that  which 

17  is  permitted  under  title  II  of  the  Medical  Informa- 

18  tion  Protection  Act  of  1999. 

19  "(b)  Penalties. — A  person  described  in  subsection 

20  (a)  shall— 

21  "(1)  be  fined  not  more  than  $50,000,  impris- 

22  oned  not  more  than  1  year,  or  both; 

23  "(2)  if  the  offense  is  committed  under  false  pre- 

24  tenses,  be  fined  not  more  than  $100,000,  imprisoned 

25  not  more  than  5  years,  or  both;  or 
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1  "(3)  if  the  offense  is  committed  with  the  intent 

2  to  sell,  transfer,  or  use  protected  health  information 

3  for  monetary  gain  or  malicious  harm,  be  fined  not 

4  more  than  $250,000,  imprisoned  not  more  than  10 

5  years,  or  both. 

6  "(c)  Subsequent  Offenses. — In  the  case  of  a  per- 

7  son  described  in  subsection  (a),  the  maximum  penalties 

8  described  in  subsection  (b)  shall  be  doubled  for  every  sub- 

9  sequent  conviction  for  an  offense  arising  out  of  a  violation 

10  or  violations  related  to  a  set  of  circumstances  that  are  dif- 

1 1  ferent  from  those  involved  in  the  previous  violation  or  set 

12  of  related  violations  described  in  such  subsection  (a).". 

13  (b)  Clerical  Amendment. — The  table  of  chapters 

14  for  part  I  of  title  18,  United  States  Code,  is  amended  by 

15  inserting  after  the  item  relating  to  chapter  123  the  fol- 

16  lowing  new  item: 

"See.  2801.  Wrongful  disclosure  of  protected  health  information.". 

7  Subtitle  B — Civil  Sanctions 

1 8  SEC.  311.  CIVIL  PENALTY  VIOLATION. 

19  A  person  who  the  Secretary,  in  consultation  with  the 

20  Attorney  General,  determines  has  substantially  and  mate- 

21  rially  failed  to  comply  with  this  Act  shall  be  subject,  in 

22  addition  to  any  other  penalties  that  may  be  prescribed  by 

23  law — 

24  (1)  in  a  case  in  which  the  violation  relates  to 

25  title  I,  to  a  civil  penalty  of  not  more  than  $500  for 
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1  each  such  violation,  but  not  to  exceed  $5,000  in  the 

2  aggregate  for  multiple  violations  arising  from  the 

3  same  failure  to  comply  with  the  Act; 

4  (2)  in  a  case  in  which  the  violation  relates  to 

5  title  II,  to  a  civil  penalty  of  not  more  than  $10,000 

6  for  each  such  violation,  but  not  to  exceed  $50,000 

7  in  the  aggregate  for  multiple  violations  arising  from 

8  the  same  failure  to  comply  with  the  Act;  or 

9  (3)  in  a  case  in  which  the  Secretary  finds  that 

10  such  violations  have  occurred  with  such  frequency  as 

11  to  constitute  a  general  business  practice,  to  a  civil 

12  penalty  of  not  more  than  $100,000. 

1 3  SEC.  312.  PROCEDURES  FOR  IMPOSITION  OF  PENALTIES. 

14  (a)  Initiation  of  Proceedings. — 

15  (1)  In  GENERAL. — The  Secretary,  in  consulta- 

16  tion  with  the  Attorney  General,  may  initiate  a  pro- 

17  ceeding  to  determine  whether  to  impose  a  civil 

18  money  penalty  under  section  311.  The  Secretary 

19  may  not  initiate  an  action  under  this  section  with  re- 

20  spect  to  any  violation  described  in  section  311  after 

21  the  expiration  of  the  6-year  period  beginning  on  the 

22  date  on  which  such  violation  was  alleged  to  have  oc- 

23  curred.  The  Secretary  ma}r  initiate  an  action  under 

24  this  section  by  serving  notice  of  the  action  in  any 
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1  manner  authorized  by  Rule  4  of  the  Federal  Rules 

2  of  Civil  Procedure. 

3  (2)  Notice  and  opportunity  for  hear- 

4  ING. — The  Secretary  shall  not  make  a  determination 

5  adverse  to  any  person  under  paragraph  (1)  until  the 

6  person  has  been  given  written  notice  and  an  oppor- 

7  tunity  for  the  determination  to  be  made  on  the 

8  record  after  a  hearing  at  which  the  person  is  entitled 

9  to  be  represented  by  counsel,  to  present  witnesses, 

10  and  to  cross-examine  witnesses  against  the  person. 

11  (3)  Sanctions  for  failure  to  comply. — 
1  2  The  official  conducting  a  hearing  under  this  section 
13  may  sanction  a  person,  including  any  party  or  attor- 
1  4  ney,  for  failing  to  comply  with  an  order  or  proce- 

15  dure,  failing  to  defend  an  action,  or  other  mis- 

16  conduct  as  would  interfere  with  the  speedy,  orderly, 

17  or  fair  conduct  of  the  hearing.  Such  sanction  shall 

18  reasonably  relate  to  the  severity  and  nature  of  the 

19  failure  or  misconduct.  Such  sanction  may  include — 

20  (A)  in  the  case  of  refusal  to  provide  or  per- 

21  mit  discovery,  drawing  negative  factual  infer- 

22  ences  or  treating  such  refusal  as  an  admission 

23  by  deeming  the  matter,  or  certain  facts,  to  be 

24  established; 
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1  (B)  prohibiting  a  party  from  introducing 

2  certain  evidence  or  otherwise  supporting  a  par- 

3  ticular  claim  or  defense; 

4  (C)  striking  pleadings,  in  whole  or  in  part; 

5  (D)  staying  the  proceedings; 

6  (E)  dismissal  of  the  action; 

7  (F)  entering  a  default  judgment; 

8  (G)  ordering  the  party  or  attorney  to  pay 

9  attorneys'  fees  and  other  costs  caused  by  the 

10  failure  or  misconduct;  and 

11  (H)  refusing  to  consider  any  motion  or 

12  other  action  which  is  not  filed  in  a  timely  man- 

13  ner. 

14  (b)    Scope   of   Penalty. — In   determining  the 

15  amount  or  scope  of  any  penalty  imposed  pursuant  to  sec- 

16  tion  311,  the  Secretary  shall  take  into  account — 

17  (1)  the  nature  of  claims  and  the  circumstances 

1 8  under  which  they  were  presented; 

19  (2)  the  degree  of  culpability,  history  of  prior  of- 

20  fenses,  and  financial  condition  of  the  person  pre- 

21  senting  the  claims; 

22  (3)  evidence  of  good  faith  endeavor  to  protect 

23  the  confidentiality  of  protected  health  information; 

24  and 

25  (4)  such  other  matters  as  justice  may  require. 
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1  (c)  Review  of  Determination. — 

2  (1)  In  general. — Any  person  adversely  af- 

3  fected  by  a  determination  of  the  Secretary  under 

4  this  section  may  obtain  a  review  of  such  determina- 

5  tion  in  the  United  States  Court  of  Appeals  for  the 

6  circuit  in  which  the  person  resides,  or  in  which  the 

7  claim  was  presented,  by  filing  in  such  court  (within 

8  60  days  following  the  date  the  person  is  notified  of 

9  the  determination  of  the  Secretary)  a  written  peti- 

10  tion  requesting  that  the  determination  be  modified 

1 1  or  set  aside. 

12  (2)  Filing  of  record. — A  copy  of  the  petition 

13  filed  under  paragraph  (1)  shall  be  forthwith  trans- 

14  mitted  by  the  clerk  of  the  court  to  the  Secretary, 

15  and  thereupon  the  Secretary  shall  file  in  the  Court 

16  the  record  in  the  proceeding  as  provided  in  section 

17  2112  of  title  28,  United  States  Code.  Upon  such  fil- 

18  ing,  the  court  shall  have  jurisdiction  of  the  pro- 

19  ceeding  and  of  the  question  determined  therein,  and 

20  shall  have  the  power  to  make  and  enter  upon  the 

21  pleadings,  testimony,  and  proceedings  set  forth  in 

22  such  record  a  decree  affirming,  modifying,  remand- 

23  ing  for  further  consideration,  or  setting  aside,  in 

24  whole  or  in  part,  the  determination  of  the  Secretary 
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1  and  enforcing  the  same  to  the  extent  that  such  order 

2  is  affirmed  or  modified. 

3  (3)  Consideration  of  objections. — No  ob- 

4  jection  that  has  not  been  raised  before  the  Secretary 

5  with  respect  to  a  determination  described  in  para- 

6  graph  (1)  shall  be  considered  by  the  court,  unless 

7  the  failure  or  neglect  to  raise  such  objection  shall  be 

8  excused  because  of  extraordinary  circumstances. 

9  (4)  FINDINGS. — The  findings  of  the  Secretary 

10  with  respect  to  questions  of  fact  in  an  action  under 

11  this  subsection,  if  supported  by  substantial  evidence 

12  on  the  record  considered  as  a  whole,  shall  be  conclu- 

13  sive.  If  any  party  shall  apply  to  the  court  for  leave 

14  to  adduce  additional  evidence  and  shall  show  to  the 

15  satisfaction  of  the  court  that  such  additional  evi- 

16  dence  is  material  and  that  there  were  reasonable 

17  grounds  for  the  failure  to  adduce  such  evidence  in 

18  the  hearing  before  the  Secretary,  the  court  may 

19  order  such  additional  evidence  to  be  taken  before  the 

20  Secretary  and  to  be  made  a  part  of  the  record.  The 

21  Secretary  may  modify  findings  as  to  the  facts,  or 

22  make  new  findings,  by  reason  of  additional  evidence 

23  so  taken  and  filed,  and  shall  file  with  the  court  such 

24  modified  or  new  findings,  and  such  findings  with  re- 

25  spect  to  questions  of  fact,  if  supported  by  substan- 
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1  tial  evidence  on  the  record  considered  as  a  whole, 

2  and  the  recommendations  of  the  Secretary,  if  any, 

3  for  the  modification  or  setting  aside  of  the  original 

4  order,  shall  be  conclusive. 

5  (5)  Exclusive  jurisdiction. — Upon  the  filing 

6  of  the  record  with  the  court  under  paragraph  (2), 

7  the  jurisdiction  of  the  court  shall  be  exclusive  and  its 

8  judgment  and  decree  shall  be  final,  except  that  the 

9  same  shall  be  subject  to  review  by  the  Supreme 

10  Court  of  the  United  States,  as  provided  for  in  sec- 

11  tion  1254  of  title  28,  United  States  Code. 

12  (d)  Recovery  of  Penalties. — 

13  (1)  In  general. — Civil  money  penalties  im- 

1 4  posed  under  this  subtitle  may  be  compromised  by 

15  the  Secretary  and  may  be  recovered  in  a  civil  action 

16  in  the  name  of  the  United  States  brought  in  United 

1 7  States  district  court  for  the  district  where  the  claim 

18  was  presented,  or  where  the  claimant  resides,  as  de- 

19  termined  by  the  Secretary.  Amounts  recovered  under 

20  this  section  shall  be  paid  to  the  Secretary  and  depos- 
2 !  ited  as  miscellaneous  receipts  of  the  Treasury  of  the 

22  United  States. 

23  (2)  Deduction  from  amounts  owing. — The 

24  amount  of  any  penalty,  when  finally  determined 

25  under  this  section,  or  the  amount  agreed  upon  in 

•HR  2470  IH 


63 

1  compromise  under  paragraph  (1),  may  be  deducted 

2  from  any  sum  then  or  later  owing  by  the  United 

3  States  or  a  State  to  the  person  against  whom  the 

4  penalty  has  been  assessed. 

5  (e)  Determination  Final. — A  determination  by 

6  the  Secretary  to  impose  a  penalty  under  section  321  shall 

7  be  final  upon  the  expiration  of  the  60-day  period  referred 

8  to  in  subsection  (c)(1).  Matters  that  were  raised  or  that 

9  could  have  been  raised  in  a  hearing  before  the  Secretary 

10  or  in  an  appeal  pursuant  to  subsection  (c)  may  not  be 

1 1  raised  as  a  defense  to  a  civil  action  by  the  United  States 

12  to  collect  a  penalty  under  section  321. 

13  (f)  Subpoena  Authority. — 

14  (1)  In  general. — For  the  purpose  of  any 

15  hearing,  investigation,  or  other  proceeding  author- 

16  ized  or  directed  under  this  section,  or  relative  to  any 

17  other  matter  within  the  jurisdiction  of  the  Attorney 

18  General  hereunder,  the  Attorney  General,  acting 

19  through  the  Secretary  shall  have  the  power  to  issue 

20  subpoenas  requiring  the  attendance  and  testimony  of 

21  witnesses  and  the  production  of  any  evidence  that 

22  relates  to  any  matter  under  investigation  or  in  ques- 

23  tion  before  the  Secretary.  Such  attendance  of  wit- 

24  nesses  and  production  of  evidence  at  the  designated 

25  place  of  such  hearing,  investigation,  or  other  pro- 
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1  ceeding  may  be  required  from  any  place  in  the 

2  United  States  or  in  any  Territory  or  possession 

3  thereof. 

4  (2)    Service. — Subpoenas   of  the  Secretary 

5  under  paragraph  (1)  shall  be  served  by  anyone  au- 

6  thorized  by  the  Secretary  by  delivering  a  copy  there- 

7  of  to  the  individual  named  therein. 

8  (3)  Proof  of  service. — A  verified  return  by 

9  the  individual  serving  the  subpoena  under  this  sub- 

10  section  setting  forth  the  manner  of  service  shall  be 

1 1  proof  of  service. 

12  (4)  Fees. — Witnesses  subpoenaed  under  this 

13  subsection  shall  be  paid  the  same  fees  and  mileage 

14  as  are  paid  witnesses  in  the  district  court  of  the 

15  United  States. 

16  (5)  Refusal  to  obey. — In  case  of  contumacy 

17  by,  or  refusal  to  obey  a  duly  served  upon,  any  per- 

18  son,  any  district  court  of  the  United  States  for  the 

19  judicial  district  in  which  such  person  charged  with 

20  contumacy  or  refusal  to  obey  is  found  or  resides  or 

21  transacts  business,  upon  application  by  the  Sec- 

22  retary,  shall  have  jurisdiction  to  issue  an  order  re- 

23  quiring  such  person  to  appear  and  give  testimony,  or 

24  to  appear  and  produce  evidence,  or  both.  Any  failure 
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1  to  obey  such  order  of  the  court  may  be  punished  by 

2  the  court  as  contempt  thereof. 

3  (g)  Injunctive  Relief. — Whenever  the  Secretary 

4  has  reason  to  believe  that  any  person  has  engaged,  is  en- 

5  gaging,  or  is  about  to  engage  in  any  activity  which  makes 

6  the  person  subject  to  a  civil  monetary  penalty  under  sec- 

7  tion  311,  the  Secretary  may  bring  an  action  in  an  appro- 

8  priate  district  court  of  the  United  States  (or,  if  applicable, 

9  a  United  States  court  of  any  territory)  to  enjoin  such  ac- 

10  tivity,  or  to  enjoin  the  person  from  concealing,  removing, 

1 1  encumbering,  or  disposing  of  assets  which  may  be  required 

12  in  order  to  pay  a  civil  monetary  penalty  if  any  such  pen- 

13  alty  were  to  be  imposed  or  to  seek  other  appropriate  relief. 

14  (h)  Agency. — A  principal  is  liable  for  penalties 

15  under  section  311  for  the  actions  of  the  principal's  agent 

1 6  acting  within  the  scope  of  the  agency. 

17  SEC.  313.  ENFORCEMENT  BY  STATE  INSURANCE  COMMIS- 

18  SIONERS. 

19  (a)  State  Penalties. — Subject  to  section  401,  and 

20  notwithstanding  any  other  provision  of  this  title,  a  state 

21  insurance  commissioner  of  the  State  of  domicile  of  a  life 

22  insurer  may  exercise  exclusive  authority  to  impose  any 

23  penalties  on  a  life  insurer  for  violations  of  this  Act  pursu- 

24  ant  to  the  administrative  procedures  provided  under  that 

25  State's  insurance  laws. 

•HR  2470  IH 


66 

1  (b)  Fail-Safe  Federal  Authority. — In  the  case 

2  of  a  State  that  fails  to  substantially  enforce  the  require- 

3  ments  of  title  I  and  title  II  of  this  Act  with  respect  to 

4  life  insurers  regulated  by  such  State,  the  provisions  of  this 

5  title  shall  apply  with  respect  to  a  life  insurer  in  the  same 

6  way  that  they  apply  to  other  persons  subject  to  the  Act. 

7  TITLE  IV— MISCELLANEOUS 

8  SEC.  401.  RELATIONSHIP  TO  OTHER  LAWS. 

9  (a)  State  and  Federal  Law. — Except  as  provided 

10  in  this  section,  the  provisions  of  this  Act  shall  preempt 

1 1  any  State  law  that  relates  to  matters  covered  by  this  Act. 

1 2  Nothing  in  this  Act  shall  be  construed  to  preempt,  modify, 

13  repeal  or  affect  the  interpretation  of  a  provision  of  State 

14  or  Federal  law  that  relates  to  the  disclosure  of  protected 

1 5  health  information  or  any  other  information  about  a  minor 

16  to  a  parent  or  guardian  of  such  minor.  This  Act  shall  not 

17  be  construed  as  repealing,  explicitly  or  implicitly,  other 

18  Federal  laws  or  regulations  relating  to  protected  health 

19  information  or  relating  to  an  individual's  access  to  pro- 

20  tected  health  information  or  health  care  services. 

21  (b)  Privileges. — Nothing  in  this  title  shall  be  con- 

22  strued  to  preempt  or  modify  any  provisions  of  State  statu- 

23  tory  or  common  law  to  the  extent  that  such  law  concerns 

24  a  privilege  of  a  witness  or  person  in  a  court  of  that  State. 

25  This  title  shall  not  be  construed  to  supersede  or  modify 
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1  any  provision  of  Federal  statutory  or  common  law  to  the 

2  extent  such  law  concerns  a  privilege  of  a  witness  or  person 

3  in  a  court  of  the  United  States.  Authorizations  pursuant 

4  to  sections  202  and  203  shall  not  be  construed  as  a  waiver 

5  of  any  such  privilege. 

6  (c)    Reports    Concerning   Federal  Privacy 

7  Act. — Not  later  than  1  year  after  the  date  of  enactment 

8  of  this  Act,  the  head  of  each  Federal  agency  shall  prepare 

9  and  submit  to  Congress  a  report  concerning  the  effect  of 

10  this  Act  on  each  such  agency.  Such  reports  shall  include 

1 1  recommendations  for  legislation  to  address  concerns  relat- 

12  ing  to  the  Federal  Privacy  Act. 


13  (d)  Application  to  Certain  Federal  Agex- 

14  cies. — 

15  (1)  Departmext  op  defexse. — 

16  (A)  Exceptioxs. — The  Secretary  of  De- 

17  fense  may,  by  regulation,  establish  exceptions  to 

18  the  disclosure  requirements  of  this  Act  to  the 

19  extent  such  Secretary  determines  that  disclo- 

20  sure  of  protected  health  information  relating  to 

21  members  of  the  armed  forces  from  systems  of 

22  records  operated  by  the  Department  of  Defense 

23  is  necessary  under  circumstances  different  from 

24  those  permitted  under  this  Act  for  the  proper 
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1  conduct  of  national  defense  functions  by  mem- 

2  bers  of  the  armed  forces. 

3  (B)  Application  to  civilian  employ- 

4  EES. — The  Secretary  of  Defense  may,  by  regu- 

5  lation,  establish  for  civilian  employees  of  the 

6  Department  of  Defense  and  employees  of  De- 

7  partment  of  Defense  contractors,  limitations  on 

8  the  right  of  such  persons  to  revoke  or  amend 

9  authorizations  for  disclosures  under  section  203 

10  when  such  authorizations  were  provided  by  such 

1 1  employees  as  a  condition  of  employment  and 

12  the  disclosure  is  determined  necessary  by  the 

13  Secretary  of  Defense  to  the  proper  conduct  of 

14  national  defense  functions  by  such  employees. 

15  (2)  Department  of  transportation.  

16  (A)     Exceptions. — The    Secretary  of 

17  Transportation  may,  with  respect  to  members 

18  of  the  Coast  Guard,  exercise  the  same  powers 

19  as  the  Secretary  of  Defense  may  exercise  under 

20  paragraph  (1)(A). 

21  (B)  Application  to  civilian  employ- 

22  EES. — The  Secretary  of  Transportation  may, 

23  with  respect  to  civilian  employees  of  the  Coast 

24  Guard  and  Coast  Guard  contractors,  exercise 
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1  the  same  powers  as  the  Secretary  of  Defense 

2  may  exercise  under  paragraph  (1)(B). 

3  (3)  Department  of  veterans  affairs. — 

4  The  limitations  on  use  and  disclosure  of  protected 

5  health  information  under  this  Act  shall  not  be  con- 

6  strued  to  prevent  any  exchange  of  such  information 

7  within  and  among  components  of  the  Department  of 

8  Veterans  Affairs  that  determine  eligibility  for  or  en- 

9  titlement  to,  or  that  provide,  benefits  under  laws  ad- 

10  ministered  by  the  Secretary  of  Veteran  Affairs. 

1 1  SEC.  402.  CONFORMING  AMENDMENT. 

12  Section  1171(6)  of  the  Social  Security  Act  (42  U.S.C. 

13  1320d(6))  is  amended  to  read  as  follows: 

14  "(6)  Individually  identifiable  health  in- 

15  formation. — The    term    'individually  identifiable 

16  health  information'  has  the  same  meaning  given  the 

17  term  'protected  health  information'  by  section  2  of 

18  the  Medical  Information  Protection  Act  of  1999.". 

19  SEC.  403.  STUDY  BY  INSTITUTE  OF  MEDICINE. 

20  Not  later  than  2  years  after  the  date  of  enactment 

21  of  this  Act,  the  National  Research  Council  in  conjunction 

22  with  the  Institute  of  Medicine  of  the  National  Academy 

23  of  Sciences  shall  conduct  a  study  to  examine  research 

24  issues  relating  to  protected  health  information,  such  as  the 

25  quality  and  uniformity  of  institutional  review  boards  and 
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1  their  practices  with  respect  to  data  management  for  both 

2  researchers  and  institutional  review  boards,  as  well  as  cur- 

3  rent  and  proposed  protection  of  health  information  in  rela- 

4  tion  to  the  legitimate  needs  of  law  enforcement.  The  Coun- 

5  cil  shall  prepare  and  submit  to  Congress  a  report  con- 

6  cerning  the  results  of  such  study. 

7  SEC.  404.  EFFECTIVE  DATE. 

8  (a)  Effective  Date. — Except  as  provided  in  sub- 

9  section  (b),  this  Act  shall  take  effect  on  the  date  that  is 

10  12  months  after  the  date  on  which  regulations  are  promul- 

1 1  gated  as  required  under  subsection  (c). 

12  (b)  Applicability. — The  provisions  of  this  Act  shall 

13  only  apply  to  protected  health  information  collected  and 

14  disclosed  12  months  after  the  date  on  which  regulations 

15  are  promulgated  as  required  under  subsection  (c). 

1 6  (c)  Regulations. — Not  later  than  12  months  after 

17  the  date  of  enactment  of  this  Act,  the  Secretary  shall,  in 

18  consultation  with  the  National  Committee  on  Vital  and 

19  Health  Statistics,  promulgate  regulations  implementing 

20  this  Act. 

21  (d)  Exception. — If,  not  later  than  18  months  after 

22  the  date  of  enactment  of  this  Act,  the  Secretary  has  not 

23  promulgated  the  regulations  required  under  subsection  (c), 

24  the  effective  date  for  purposes  of  subsections  (a)  and  (b) 

25  shall  be  the  date  that  is  30  months  after  the  date  of  enact- 
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1  ment  of  this  Act  or  12  months  after  the  promulgation  of 

2  such  regulations,  whichever  is  earlier. 

O 
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